In huntgroups:

    # every NAS listed under the same name belongs to that huntgroup
    TEST    NAS-IP-Address == 1.2.3.4

In users:

    # requests from a TEST NAS are handed to the ADMIN Autz-Type below
    DEFAULT Huntgroup-Name = "TEST", Autz-Type := ADMIN

In radiusd.conf:

    modules {
        # named rlm_ldap instance; the name is case-sensitive and is
        # what the authorize section and the Ldap-Group check refer to
        ldap ADMIN_user {
            server = "ldap"
            ...
            access_attr = "memberUid"
            # the user must appear as memberUid in the member_list group
            filter = "(&(cn=member_list)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
            ...
            # presence of access_attr allows; absence denies
            access_attr_used_for_allow = yes
        }
        ...
    }

    authorize {
        ...
        Autz-Type ADMIN {
            redundant {
                ADMIN_user
                ADMIN_user_backup_ldap_server
            }
            notfound = reject
        }
        ...
    }

or, in users:

    DEFAULT Huntgroup-Name = "TEST", Ldap-Group := ADMIN_user-Ldap-Group
On Fri, 2005-02-25 at 09:47, Peter Hicks wrote:
> Hello
>
> I have a large number of Cisco routers/switches which authenticate back to
> FreeRADIUS 1.0.1 on a Debian box. At present, anyone with a RADIUS login
> may log in to any of the devices.
>
> I've been asked to set up certain users so they are only able to log in to
> a subset of the devices - typically, local administrators at a site.
> Working with huntgroups appears to be the simplest way to do this, however I
> can't work out how to do it.
>
> Documentation appears a little sparse. I'm assuming I need to assign each
> user in the users file in to a group, and FreeRADIUS will take care of the
> authentication.
>
> Does anyone have a working configuration they could post here, and that I
> can hack around to suit my environment?
>
> Best wishes,
>
>
> Peter.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
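Added example, not from the list post: a small Python model of how the huntgroups line, the users DEFAULT entry and the rlm_ldap filter above combine, with a constructed in-memory directory standing in for the LDAP server and RFC 4515 escaping applied to the expanded user name. The second site, the directory contents and the group names are assumptions.

```python
import re
# Constructed huntgroups lines: the responder's TEST group plus a second site.
HUNTGROUPS = """
TEST   NAS-IP-Address == 1.2.3.4
TEST   NAS-IP-Address == 1.2.3.5
SITE2  NAS-IP-Address == 10.9.8.7
"""
# Constructed directory standing in for LDAP: group cn -> memberUid values.
DIRECTORY = {"member_list": ["alice", "bob"], "site2_admins": ["carol"]}
# Constructed policy (the users-file DEFAULT entries): huntgroup -> required group.
POLICY = {"TEST": "member_list", "SITE2": "site2_admins"}
FILTER = "(&(cn={group})(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
XLAT = "%{Stripped-User-Name:-%{User-Name}}"

def parse_huntgroups(text):
    """Return {name: [(attr, value), ...]}; several lines with one name are ORed."""
    groups = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s*==\s*(\S+)$", line.strip())
        if m:
            groups.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return groups

def huntgroup_for(request, groups):
    """First huntgroup whose check items match the request (Huntgroup-Name)."""
    for name, checks in groups.items():
        if any(request.get(attr) == value for attr, value in checks):
            return name
    return None

def ldap_escape(value):
    """RFC 4515 escaping so a user-supplied name cannot change the filter's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def expand_filter(group, request):
    """Expand the ':-' xlat: Stripped-User-Name if present, else User-Name."""
    name = request.get("Stripped-User-Name") or request["User-Name"]
    return FILTER.replace("{group}", group).replace(XLAT, ldap_escape(name))

def ldap_search(filt):
    """Evaluate an expanded (&(cn=..)(memberUid=..)) filter against DIRECTORY."""
    m = re.fullmatch(r"\(&\(cn=([^()]*)\)\(memberUid=([^()]*)\)\)", filt)
    unesc = lambda v: re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), v)
    return bool(m) and unesc(m.group(2)) in DIRECTORY.get(unesc(m.group(1)), [])

def authorize(request):
    """Access-Reject when the NAS's huntgroup requires a group the user is not in."""
    hg = huntgroup_for(request, parse_huntgroups(HUNTGROUPS))
    if hg not in POLICY:
        return "Access-Accept"  # no DEFAULT entry names this huntgroup: no restriction
    return "Access-Accept" if ldap_search(expand_filter(POLICY[hg], request)) else "Access-Reject"
```

A NAS that matches no huntgroup stays unrestricted, which is exactly the situation the original question describes before the DEFAULT entries are added.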